oauthserver: preserve headers used by RequestHeaderIdentityProvider

Author: liouk

pkg/oauthserver/oauth_apiserver.go

@@ -345,15 +345,14 @@ func (c *OAuthServerConfig) buildHandlerChainForOAuth(startingHandler http.Handl
 		panic(err)
 	}
 
-	// add back the Authorization header so that WithOAuth can use it even after WithAuthentication deletes it
-	// WithOAuth sees users' passwords and can mint tokens so this is not really an issue
-	handler = headers.WithRestoreAuthorizationHeader(handler)
+	// restore the Authorization and any extra provider headers
+	handler = headers.WithRestoreOAuthHeaders(handler, c.ExtraOAuthConfig.Options)
 
 	// this is the normal kube handler chain
 	handler = genericapiserver.DefaultBuildHandlerChain(handler, genericConfig)
 
-	// store a copy of the Authorization header for later use
-	handler = headers.WithPreserveAuthorizationHeader(handler)
+	// store a copy of the Authorization and any extra provider headers for later use
+	handler = headers.WithPreserveOAuthHeaders(handler, c.ExtraOAuthConfig.Options)
 
 	// protected endpoints should not be cached
 	handler = headers.WithStandardHeaders(handler)

pkg/server/headers/oauthbasic.go

@@ -1,27 +1,57 @@
 package headers
 
-import "net/http"
+import (
+	"net/http"
+
+	osinv1 "github.com/openshift/api/osin/v1"
+)
 
 const (
-	authzHeader     = "Authorization"
-	copyAuthzHeader = "oauth.openshift.io:" + authzHeader // will never conflict because : is not a valid header key
+	authzHeader      = "Authorization"
+	headerCopyPrefix = "oauth.openshift.io:" // will never conflict because : is not a valid header key
 )
 
-func WithPreserveAuthorizationHeader(handler http.Handler) http.Handler {
+func preservedHeaders(oauthConfig *osinv1.OAuthConfig) []string {
+	// compile a list of headers that should be preserved lest any handler in the kube chain deletes them
+	// so that WithOAuth can use them even after WithAuthentication deletes them
+	// WithOAuth sees users' passwords and can mint tokens so this is not really an issue
+	preservedHeaders := make([]string, 0)
+	for _, identityProvider := range oauthConfig.IdentityProviders {
+		switch provider := identityProvider.Provider.Object.(type) {
+		case *osinv1.RequestHeaderIdentityProvider:
+			preservedHeaders = append(preservedHeaders, provider.Headers...)
+			preservedHeaders = append(preservedHeaders, provider.PreferredUsernameHeaders...)
+			preservedHeaders = append(preservedHeaders, provider.NameHeaders...)
+			preservedHeaders = append(preservedHeaders, provider.EmailHeaders...)
+		}
+	}
+
+	return preservedHeaders
+}
+
+func WithPreserveOAuthHeaders(handler http.Handler, oauthConfig osinv1.OAuthConfig) http.Handler {
+	headers := append(preservedHeaders(&oauthConfig), authzHeader)
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if vv, ok := r.Header[authzHeader]; ok {
-			r.Header[copyAuthzHeader] = vv // capture the values before they are deleted
+		for _, header := range headers {
+			if vv, ok := r.Header[header]; ok {
+				headerCopy := headerCopyPrefix + header
+				r.Header[headerCopy] = vv // capture the values before they are deleted
+			}
 		}
 
 		handler.ServeHTTP(w, r)
 	})
 }
 
-func WithRestoreAuthorizationHeader(handler http.Handler) http.Handler {
+func WithRestoreOAuthHeaders(handler http.Handler, oauthConfig osinv1.OAuthConfig) http.Handler {
+	headers := append(preservedHeaders(&oauthConfig), authzHeader)
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if vv, ok := r.Header[copyAuthzHeader]; ok {
-			r.Header[authzHeader] = vv // add them back afterwards for use in OAuth flows
-			delete(r.Header, copyAuthzHeader)
+		for _, header := range headers {
+			headerCopy := headerCopyPrefix + header
+			if vv, ok := r.Header[headerCopy]; ok {
+				r.Header[header] = vv // add them back afterwards for use in OAuth flows
+				delete(r.Header, headerCopy)
+			}
 		}
 
 		handler.ServeHTTP(w, r)